Pages

Saturday, December 14, 2013

Policy needs to get out of the way of good Patient Identity management

I am reviewing the materials that are being presented to the ONC Patient Matching Meeting on Monday December 16th. These materials are fantastic. There is much work that has gone into the current investigation. Detailed and constructive research. There is research on why patient matching isn't working, what technical issues are in the way.

THE PROBLEM IS NOT TECHNICAL. The problem is Policy. This is not to say there are not technical issues, there certainly are problems with current technology. No matter what the policy solution is, technology will need to change. We need to get the policy out of our way so that we can apply technology to that solution. Right now Policy is in the way!

Here is a quote from the report that illuminates the problem

The research questions did not include any specific questions on unique patient identifiers; however, many of the environmental scan participants indicated that their organizations support the study and development of a universal patient identifier (either mandated or voluntary). At the same time, there was acknowledgement that it would not eliminate the need for patient matching methods/programs and would take a number of years to have an impact.

The problem is that in the USA there are rules and prevailing-wind against a universal patient identifier. I understand why this is, it is for good privacy reasons. BUT the result is a far worse privacy issue, and one that also causes Safety issues and Financial issues.

Healthcare needs a high-quality universal identity. I say this not just because it would solve the 'patient matching' problem, but also because I truly believe that it will solve PRIVACY issues, Safety, and Financial issues. I assert that Universal Health ID Enables Privacy

With a high-quality universal patient identity we will need to only communicate that opaque identity when requesting information. It works just as well in push use-cases. A Patient can express their Privacy preferences/consent using this high-quality universal patient identifier and it will be applicable for ALL uses of that identifier. Indeed the Accounting of Disclosures or even the Access Log is much easier to implement.

The problem with universal patient identifier: I recognize the privacy worry about a universal patient identifier, but this problem is far better solved in the POLICY space. Solved through simple rules. The universal patient identifier MUST NOT be used for any purpose other than the provision of healthcare or payment of such. I am sure there are other parts of this 'simple rule', but I am sure it is more approachable in Policy than anywhere else.

Who should provide this high-quality universal patient identifier? Very good question that I wish I had a good answer for. In most of Europe they are the national identifier, we should look to Europe for both the solution and how they handle the privacy issues. I am also willing to say that the identifier could be a patient selected identifier, ala Voluntary Patient Identifier. I just want it to be high-quality, which means it needs to be backed by good solid identity proofing. One can only outsource your identity proofing if you trust everyone that you are outsourcing your identity proofing to. In healthcare we are outsourcing our identity proofing to everyone, yet no-one.

If you as a human opt-out of getting a universal patient identifier, then you can't be covered by insurance, no deferred billing available, and your historic information can't be used. You are allowed to do this, but you will need to pay up-front for any healthcare and you will need to pay for extra tests each time you are seen since no historic knowledge can be brought forward. Further your data will be marked with your demographics, not an opaque universal identifier. YES, there is a price to your behavior, but it is your choice.

Conclusion:
We need to drop this archaic policy against a universal patient identifier. Move the policy to where it can be effective, and issue high-quality patient identifier.

About Me

The information posted here are mine and not necessarily represent By Light Professional IT Services Inc. I am a Standards Architect specializing in Standards Architecture in Interoperability, Security, and Privacy for By Light Professional IT Services Inc. Primarily involved in the international standards development and the promulgation of those standards. Co-chair of the HL7 Security workgroup, a member of the FHIR Management Group, FHIR core team, and co-chair of IHE IT Infrastructure Planning Committee. Participate in ASTM, DICOM, HL7, IHE, ISO/TC-215, Kantara, W3C, IETF, OASIS-Open, and other. Was a core member of the Direct Project specification writing, authoring the security section, and supporting risk assessment. Active in many regional initiatives such as the S&I Framework, SMART, HEART, CommonWell, Carequality, Sequoia (NwHIN-Exchange), and WISHIN. Active in the Healthcare standardization since 1999, during which time authored various standards, profiles, and white papers.

Surely there are other copyright and trademarks that I should recognize, but everyone else seems to be reasonable; expecting readers of blogs know that I am not trying to claim or take ownership of their copyright and trademarks.